Today there exist solutions for automatically establishing IPsec (Internet Protocol Security) relations between nodes, as long as the IP addresses of the nodes and of the interfaces in question are known in advance. The IP addresses can also be pre-configured in an intermediate transport network and provided upon request to nodes that are in the process of establishing IPsec relations. The Dynamic Host Configuration Protocol (DHCP) can be used to provide this type of information upon request; the IP addresses can therefore be provided using DHCP options.
The nodes involved in an IPsec relationship setup need to have individual node certificates. The individual node certificates are issued and signed by a Certificate Authority (CA) of a public key infrastructure (PKI). Further, the nodes involved in an IPsec relationship setup also need to hold one or more root certificates of the CA in order to be able to verify the correctness of the individual certificates of the other nodes.
An Internet Key Exchange (IKE) protocol handles authentication of the nodes using the above certificates. The IKE protocol further generates and updates IPsec session keys for the relations and establishes the actual IPsec relations (tunnels).
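The certificate relationships described above, as an added illustration that is not part of the original text: a root CA certificate, an individual node certificate signed by that CA, and a node that holds only the root verifying a peer's certificate before any IKE exchange proceeds. It uses the Go standard library's crypto/x509; the CA and node names are constructed for the example, the keys are generated on the fly, and the IKE protocol itself is out of scope. A second, unrelated CA is included to show that a peer presenting a certificate from a CA whose root the node does not hold is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed root certificate and its private key.
// Constructed for this example: a real PKI keeps the CA key offline.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// A self-signed certificate uses the same template as parent and signs with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueNodeCert issues an individual node certificate signed by the CA.
// The IPsec tunnel extended key usage marks it as intended for IPsec peers.
func issueNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, nodeName string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: nodeName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer checks a peer's node certificate against the root certificates
// this node holds, requiring the IPsec tunnel usage. A nil error means the
// peer chains to a trusted root and is valid now.
func verifyPeer(peer *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	})
	return err
}

// Demo builds two independent CAs and one node certificate from each, then
// has a node that trusts only CA A evaluate both peers. It returns whether
// the peer from CA A was accepted and whether the peer from CA B was accepted.
func Demo() (acceptsOwnCA bool, acceptsForeignCA bool, err error) {
	caA, keyA, err := newCA("Example IPsec Root CA A", 1)
	if err != nil {
		return false, false, err
	}
	caB, keyB, err := newCA("Example IPsec Root CA B", 2)
	if err != nil {
		return false, false, err
	}
	peerA, err := issueNodeCert(caA, keyA, "node-a.example", 10)
	if err != nil {
		return false, false, err
	}
	peerB, err := issueNodeCert(caB, keyB, "node-b.example", 11)
	if err != nil {
		return false, false, err
	}
	acceptsOwnCA = verifyPeer(peerA, caA) == nil
	acceptsForeignCA = verifyPeer(peerB, caA) == nil
	return acceptsOwnCA, acceptsForeignCA, nil
}

func main() {
	own, foreign, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("peer from trusted CA accepted: %v; peer from unrelated CA accepted: %v\n", own, foreign)
}
```

The check in verifyPeer is the step IKE relies on when it authenticates a peer: possession of a certificate is not enough, the certificate must chain to a root the verifying node already holds, so root-certificate distribution is as much a pre-configuration burden as the IP addresses discussed in the text.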
The IP addresses of the involved nodes, or at least of one of the nodes (e.g. a centralized security gateway), need to be known in advance or pre-configured in some of the nodes before IPsec relations can be established. This might be a problem since IP addresses are not permanent and may change over time; for example, IP addresses may be dynamically allocated to IP nodes from an address pool. It might also be a problem when creating meshed IPsec relations in networks with a large quantity of IP nodes, since this requires a lot of pre-configuration on each and every IP node. Finally, it might be a problem when migrating between different versions of the IP protocol.